Security in the News – Week of December 16

Information Security

All Things D

People More Freaked Out by Hacking Than Tracking

December 20

Respondents to recent survey said hacking is a bigger concern than tracking.

 

CNN Money

Target: 40 Million Credit Cards Compromised

December 19

Breach of credit, debit card data may have affected 40 million shoppers who went to the store in three weeks after Thanksgiving.

 

Computerworld

Most iPhone Users Enable Activation Lock

December 18

Survey by San Francisco DA finds that there’s room for improvement in Apple implementation.

 

FBI Launches New Biometric Systems to Nail Criminals

December 19

Palm prints, iris images and mug shots join fingerprints in the FBI’s database, helping to identify the bad guys.

 

Help Net Security

Resurgence of Malware Signed with Stolen Certificates

December 16

Since 2009, variants of the Winwebsec rogue AV family have tricked users into believing their computer is infected and paying to register software that will rid them of a non-existent threat.

 

Gamers Attacked 11.7 Million Times in 2013

December 16

Kaspersky Lab discovered PC gamers across Europe were hit by a massive number of attacks in 2013.

 

How Human Behavior Affects Malware and Defense Measures

December 17

Even the most security-conscious users are open to attack through unknown vulnerabilities, and the best security mechanisms can be circumvented as a result of poor user choices.

 

Top Eight Security Insights for 2014

December 18

BeyondTrust’s Advanced Research identified the top 8 pain points and big deals in security in 2014.

 

India Set to Escalate Internet Surveillance

December 18

Indian government to launch surveillance system capable of analyzing online communication in real-time, detecting words that indicate terrorist, criminal activity.

 

Teaching Children Information Security Skills

December 18

(ISC)2 Foundation discusses biggest online threats to kids and provides tips on how to teach children to stay safe online.

 

What’s the Greatest Security Risk?

December 18

Study by the Ponemon Institute.

 

Krebs on Security

The Case for a Compulsory Bug Bounty

December 17

Study presents an economic case for compelling companies to pay for information about security vulnerabilities in their products.

 

Network World

Phishing Messages Fall in 2013 Despite Better Targeting

December 18

Criminals are sending fewer phishing emails than a year ago, but they are more skilfully targeted, says security firm Websense.

 

Proof Point

Attackers Making Malware Delivery More Secure

December 19

Attackers directly send SSL-protected URLs in targeted phishing emails that link to their malware which is almost always packed inside a zip file.

 

State of Security

Cloud Computing Adoption by Federal Agencies Increases 400%

December 19

Report on cloud security technology trends in the federal government finds that, despite security concerns being cited as roadblocks to cloud adoption, agencies are rapidly expanding adoption of cloud infrastructure.

 

We Live Security

NSA Saves World from Plot to Remotely Destroy PCs

December 16

International plot which would turn PCs into bricks by remotely triggering deeply buried malware foiled by NSA.

 

Biometric Smart ID Card Could Offer Ultimate in Portable Security

December 17

New smart ID card aims to eliminate hacking and identity theft using voiceprints, fingerprints and iris readings, connecting to mobile devices via Bluetooth.

 

Holiday Shoppers Turning to Mobile to Bag Bargains, Ignoring Security Risk

December 19

40 believe convenience of shopping via mobile outweighed the risk.

 

Security and Crisis Management

No SCM news this week.

Security in the News – Week of December 9

Information Security

Computerworld

300 Victims Report Fake Support Calls to Security Org

December 10

Internet Storm Center collects info on scam for research.

 

Banks Shouldn’t Rely on Mobile SMS Passcodes

December 11

As mobile banking grows, malicious Android applications are increasingly intercepting one-time passcodes.

 

NASDAQ, Other Global Exchanges to Collaborate on Cybersecurity

December 12

World Federation of Exchanges creates working group to address cyberthreats against capital markets.

 

FireEye

Letting The Wrong Ones In: Email Security’s Big Blind Spot

December 13

Security professionals seem confident that email security gateways and SaaS providers can safeguard them from spear-phishing attacks.

 

Help Net Security

Popular Holiday-Themed Phishing Attacks

December 10

Holidays are busy, especially for hackers. Phishing is most effective when it exploits human emotions—fear, greed, anxiousness, curiosity, compassion, getting a good deal.

 

Inadequate Electronic Disposal Protocols Can Lead to Security Leaks

December 10

IT departments’ decisions could inadvertently put orgs at risk of IS breach if they don’t have sufficient protocols for disposal of old electronic devices.

 

Visualizing Year’s Top Cyber Attacks

December 10

Red October, Kelihos, Syrian Electronic Army DNS Hijack, Syria Internet shutdown and Cryptolocker topped list of malicious events.

 

SC Magazine

Top Breaches in 2013

December 10

Slideshow.

 

CISOs of Global Firms Offer Insight on Effective Security Programs

December 10

CISOs, security execs at well-known companies provided recommendations to help enhance organizations’ security programs.

 

Security Affairs

ENISA Threat Landscape 2013 Report, Rise of Cyber Threats

December 12

ENISA Threat Landscape 2013, a collection of information on the top cyber-threats assessed in the reporting period.

 

State of Security

Chinese Hackers Targeted Europeans Before G20 Summit

December 10

Chinese hackers gained access to European ministries, with attackers sending malware-laden emails designed to infect target’s computers and eavesdrop on communications.

 

ThreatPost

Tech Giants Unite in Call for Surveillance Reform

December 9

Coalition of technology companies calls for reform of surveillance practices that undermine trust in their respective services and in the Internet as a medium for communication and commerce.

 

Facebook Phishing Campaign Employing Malicious Tumblr Pages

December 11

New round of Facebook-related spam using fake messages about recent crimes involving recipients’ friends as a lure to direct them to Tumblr pages serving exploits.

 

64-Bit Version of Zeus Banking Trojan In The Wild

November 11

Researchers spotted new version of malware that uses Web injects to steal banking credentials to drain online accounts, steal digital certificates and log keystrokes.

 

We Live Security

Microsoft Uses Telepathy To Warn Users Off Weak Passwords

December 9

Telepathy, a computing demonstration, illustrates which passwords are easy for a computer to guess by predicting the next letter as you type in a password.

 

Guide to APTs – and Why Most of Us Have Little to Fear from These Cyberweapons

December 9

If you work for a government or large institution I’m pretty sure you are being targeted by an APT right now.

 

New Hesperbot Targets: Germany and Australia

December 10

November has been eventful; an update on the situation and on malware developments.

 

2014 Security and Privacy Predictions

December 10

Trends in security and privacy ESET researchers are predicting for 2014.

 

Security and Crisis Management

Reuters

Suicide Bomber Attacks German Troops Near Airport in Afghan Capital

December 11

Suicide bomber attacked a convoy of German troops near international airport in Kabul, but there were no immediate reports of casualties.

 

News 24

Kenya Police Shot Near Somali Border

December 10

Gunmen killed five Kenyan policemen and wounded two in an ambush in troubled northeast border region close to war-torn Somalia.

 

Washington Post

Argentine Looting: 10 Dead, $90 million Lost

December 11

Argentina’s Cabinet chief is declaring end to police strikes and scattered looting, but violence continues in streets abandoned by officers demanding higher pay.

Security in the News – Week of December 2

Information Security

Computerworld

Bitcointalk.org Warns Passwords in Danger after DNS Attack

December 2

Some users are advised to change their passwords.

 

Enjoy Trip, Protect Data You Take

December 2

International travel can require some pretty strong security measures if your devices contain sensitive information.

 

Worm May Create Internet of Harmful Things

December 3

Symantec says it has found a Linux worm aimed at Internet of Things devices.

 

Dark Reading

Experts Predict Mass Attacks On Online Banking Users

December 3

Neverquest banking Trojan supports almost every trick used to bypass online banking security systems.

 

340K New Malicious Websites Detected In Past 30 Days

December 3

Creation of new malware, spam, and phishing sites growing at unprecedented rates, report says.

 

Hacker News

Two Million Stolen Facebook, Twitter Login Credentials

December 2

Researchers found a Pony botnet controller server holding 2 million usernames and passwords stolen by cybercriminals.

Krebs on Security

Important Security Update for D-Link Routers

December 2

D-Link released security update for older Internet routers; patch closes backdoor in devices that could let attackers seize remote control over vulnerable routers.

 

Simple But Effective Point-of-Sale Skimmer

December 3

POS skimmers, fraud devices made to siphon bank card and PIN data at the cash register, have grown in sophistication over the years.

 

Net Security

Financial Services Cyber Security Trends for 2014

December 4

Years ago, questions directed at executives at financial services firms about risk management wouldn’t have mentioned cyber security; the same question today generates a much different answer.

 

Spoofed MasterCard Warning Delivers Malware

December 4

Email notifying users their MasterCard debit card has been blocked during holiday shopping has been landing in inboxes around the world.

 

Fake Amazon Order Status Emails Deliver Malware

December 4

Fake invoice scams are year round, but more effective during the holiday as more packages get delivered from online purchases.

 

Security Watch

Over 80% Of Employees Use Non-Approved SaaS Applications at Work

December 4

McAfee survey finds the worst offenders among those surveyed were IT workers, who used more unauthorized apps than their coworkers.

 

Security Week

ENISA Releases Guide for Defending Against Attacks on Industrial Control Systems

December 4

ENISA, Europe’s cyber security agency, released guide to help organizations better mitigate attacks against Industrial Control Systems.

 

State of Security

Israel and Saudi Arabia Plot Cyber Attack on Iran’s Nuclear Program

December 2

Iran accuses Israel and Saudi Arabia of plotting to unleash a cyber-attack targeting elements of the rogue nation’s ambitious nuclear program with malware similar to the Stuxnet virus.

 

Vodafone Iceland Hacked: 77,000 Accounts Exposed

December 2

Vodafone Iceland breached by Turkish hacker group Maxn3y; 77k customer records compromised in addition to defacement of the company webpage.

 

Consumers Concerned about Mobile Shopping Security

December 3

In Q3, mobile malware threats also increased 26 percent, making consumers more vulnerable to mobile attacks than ever before.

 

We Live Security

Google Nexus Phones can be Remote-Crashed by SMS

December 2

Two recent models of Nexus Android handsets can be crashed remotely, simply by sending them a flurry of SMS text messages.

 

ZDNet

Biggest Malware, Security Threats in 2013

December 4

Assumed guilt ransomware tactics, mobile device cyberattacks and Mac-based threats were largest in 2013.

 

JPMorgan Chase Admits Network Hack; 465,000 Card Users’ Data Stolen

December 5

Banking giant suffered a network breach that resulted in a large data breach, though funds and critical personal information are not thought to have been stolen.

 

Security and Crisis Management

BBC

Central African Republic Bozize Loyalists Attack Bangui

December 5

16 killed during fighting in capital of the Central African Republic (CAR), Bangui.

 

News 24

10 Killed in Mozambique Unrest

December 5

Mozambique’s government says Renamo rebels killed 10 during six weeks of unrest, warned military may soon go on the offensive.

 

Reuters

Seven Dead in Car Bomb Attack on Armed Convoy in Northern Somalia

December 5

Seven killed in car bomb attack on an armed convoy escorting two foreigners working for a company training local security forces.

 

International New York Times

Assault on Yemeni Defense Ministry Compound Kills 52

December 5

Suspected members of Al Qaeda carried out a two-pronged attack on Yemen’s Defense Ministry headquarters, blowing open the compound entrance with car explosives and killing civilians in the hospital.

Where and Why Agile Project Management Works

Plan, make decisions, and demonstrate your learning so you can succeed.

Move quickly from decision-making to action and innovation. Using Agile Project Management principles to run projects allows organizations with an Agile mindset to respond quickly and effectively to the complexity and uncertainty that characterize today’s business needs.

Illustration of Agile Project Management
What is Agile Project Management?

Broadly defined, Agile Project Management is an iterative process that focuses on customer value first, team interaction over tasks, and adapting to current business reality rather than following a prescriptive plan. Agile Project Management is based on the same organizational practices and key principles found in the Agile Manifesto.

The diagram below displays the differences between agile and waterfall development processes. By delivering working, tested, deployable software on an incremental basis, agile development delivers increased value, visibility, and adaptability much earlier in the life cycle, significantly reducing project risk.

[Diagram: agile vs. waterfall value proposition]

Agile Project Management is how you deliver high value and technical quality within your time and budget constraints. However, the principles go beyond software development. It’s a mindset for people who need a management approach that builds consensus quickly in a fast-paced environment.

Risk Mitigation
Time to Market
Budget Risk
Cancellation Cost
Scope Creep
Requirements Error
Technology Risk
Testing Risk

What the Analysts Say
1. Reduced time-to-market
2. Increased quality
3. Reduced waste
4. Better predictability
5. Better morale
Agile projects are 37% faster to market than industry average.

The Agile Paradigm Shift


 

What Agile is NOT
A specific methodology
– It’s an umbrella term for a set of approaches which share common values
“Glorified hacking”
– Rather, a synergistic set of highly disciplined practices
Working without planning
– Adaptive planning instead of following a plan
Suitable for all types of projects
– Unavailability of customers and pre-defined requirements may sway projects to other approaches
A silver bullet
– The project could still fail… but it will fail faster

Agile Manifesto for Software Development

Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
“While there is value in the items on the right,
we value the items on the left more”

12 Principles behind Agile Manifesto

1. Our highest priority is to satisfy the customer through early and continuous delivery of valuable software.
2. Welcome changing requirements, even late in development. Agile processes harness change for the customer’s competitive advantage.
3. Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.
4. Business people and developers must work together daily throughout the project.
5. Build projects around motivated individuals. Give them the environment and support they need, and trust them to get the job done.
6. The most efficient and effective method of conveying information to and within a development team is face-to-face conversation.


7. Working software is the primary measure of progress.
8. Agile processes promote sustainable development. The sponsors, developers, and users should be able to maintain a constant pace indefinitely.
9. Continuous attention to technical excellence and good design enhances agility.
10. Simplicity – the art of maximizing the amount of work not done – is essential.
11. The best architectures, requirements, and designs emerge from self-organizing teams.
12. At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.

Bottom Line Agile
Focus on customer value
Deliver early and often
Working software is the primary measure of progress
Inspect and adapt
Collaborative culture

The Scrum Framework


Scrum Project Lifecycle


 

Scrum is Light-Weight
• No mention of issues or risk management, quality assurance, configuration management, story boards, etc.
• Anything additional that you do needs to support the Agile manifesto.
• Any additions are inspected and adapted by the team as part of the sprint retrospective.

Scrum Framework

Roles
Agile Manager
Product Owner
ScrumMaster
Team

Practices
Release planning
Sprint planning
Daily stand-up
Sprint showcase
Sprint retrospective

Metrics
Sprint burndown chart
Release burnup chart

Agile Manager
• Coach, inspire, and lead teams more than they measure and manage them.
• Focus on the organizational environment’s ability to deliver value.

“If you fail to honor your people, they will fail to honor you;
It is said of a good leader that when the work is done, the aim fulfilled, the people will say ‘We did it ourselves.’ ”

The Scrum Team = 7 (+/- 2 people)
• Scrum Master
• Product Owner
• Team

SCRUM MASTER
• Removes impediments
• Enforces values and practices
• Protects the team
• Develops team members’ skills
• Facilitates ceremonies
• Escalates issues on behalf of the team

PRODUCT OWNER
• Develops and communicates the vision
• Represents (or is) the customer
• One voice, even if not one person
• Develops the product roadmap and release plan
• Accepts or rejects work results
• Addresses team’s questions
• Grooms the backlog and sets priorities

The Team
Primary responsibilities
• Breaks down user stories into tasks
• Estimates tasks during Sprint planning
• Works on design/code/test/integration for each task
• Supports other team members
• Continues to work through tasks until no tasks remain in Sprint backlog
• Participates in sprint demos and retrospectives
Skillsets required
• Technical expertise
• Cross functional – analysis /design /development / testing
• Collaborative team player – voluntarily offers assistance as needed
• Good communicator – knows to ask for help so the team stays on track

Product Roadmap


Release Schedule
Release Schedule looks easy – but the confidence to commit requires the rigor of Release Planning


Sprint Planning
0) Estimate team capacity
1) Discuss highest priority story from the product backlog
2) Size the user story
3) Break story into tasks
4) Task owner estimates task in hours
5) Repeat steps 1-4 until capacity is reached

Plan to the Team’s Capacity
1. Collect available hours before the sprint planning session
2. Build in a buffer
3. Stop when the team reaches capacity
– Prevent over-commitment
– Ensure a sustainable pace
– Ensure that the team has enough work
– Level-load the work

Deduct Time from Capacity for the Following Scrum Practices
Release Planning Session
– ~4 hours
– at least once per release
Sprint Planning
– ~2 hours for each 2-week sprint
Daily Scrum
– 15 minutes per day
Sprint Showcase
– 1.5 hours per sprint
Retrospective
– 30 minutes per sprint

Commit to the Work
“On a scale of 1 to 5, how confident are you that we can complete the user stories in the sprint plan by the end of the sprint?”

Daily Scrum or Standup
• Brief (10-15 min) daily meeting
• Assures continual team communication
• Drives accountability (peer-pressure, transparency)
• Demonstrates day-to-day progress to all team members and stakeholders

Everyone answers 3 questions
1. What did you do yesterday?
2. What will you do today?
3. Is anything in your way?
These are not status reports for the Scrum Master; they are commitments made in front of peers.

Sprint Showcase
Two Parts
• Review of sprint metrics
• Live demonstration by the people who did the work
Informal
• 2-hour prep time rule
• No slides
Invite all interested parties
Open forum – collect feedback

The Definition of Done
Each delivery team needs to define their definition of when a user story is considered to be “DONE.”
For example:
• Has the code been promoted to the QA/TEST environment?
• Has the code passed functional testing?
• Has documentation been updated?
• Has the code undergone peer code review?
Only when a user story meets all the criteria of done (i.e., DONE/DONE) can the team claim credit for completing the story/functionality.
Note: Incomplete work cannot be demonstrated!!

Commit-Accept (Say-Do) Ratio
This diagnostic metric reflects team progress by completion of its work commitment:
Say-Do Ratio = (Total story points accepted by the Product Owner) / (Total story points committed for completion by the team) × 100
The higher the Say-Do Ratio, the better. For instance, if a team commits to finishing 40 story points in a sprint, and the PO only accepts 36 story points, the Say-Do Ratio equation is:
(36/40)*100 = 90%
Benefits:
A team can identify/inspect delivery problems then take corrective action(s) as required.
By meeting its work commitments, a team builds trust with the PO/client it supports.

Sprint Retrospective


• Team reviews sprint successes and shortfalls
• What could be done differently in the subsequent sprint?
• Builds continuous improvement into the agile process
• Vital to the success of agile development

Net Promoter Score – How do customers feel about our product?

Promoters (score 9-10) Loyal enthusiasts who will keep buying and refer others, fueling growth.
Passives (score 7-8) Satisfied but unenthusiastic customers who are vulnerable to competitive offerings.
Detractors (score 0-6) Unhappy customers who can damage your brand through negative word-of-mouth.

Sprint Burndown Chart


 

Scrum Team Velocity
Velocity is the average number of user story points a delivery team completes during a sprint. It’s used to gauge how much work a team is capable of delivering. Benefits:
• Team velocity enables the Product Owner to forecast how much work a team can be expected to complete – based on the team’s own estimate of effort.
• With an established team velocity, the Product Owner can plan future releases with improved predictability.
The team’s goal is to gain and sustain a consistent velocity across releases.

User Stories
Purpose of User Story
A user story is an agreement to have a conversation

Product Backlog – “The Work”
• Owned and maintained by the Product Owner – stack ranked by business value offered – most important at top
• Master list of desired product functionality expressed as user stories
• One Product Backlog per delivery team
• Initiates the development process
• High priority items are used to create the Sprint Backlog
• Each user story provides value
• Grows & changes as more information is acquired

Sample Backlog Grooming Checklist
• Prioritize stories
• Clarify stories (e.g., title, description, notes, etc.)
• Assign initial point estimates (i.e., 1, 2, 3, 5, 8, 13, 20, 40, 100)
• Break down “epics” into smaller stories
• Identify any risks and dependencies
• Tag stories (e.g., administrative, technical spike, CRM, etc.)
• Add acceptance criteria
• Add any known tasks
• Change status in Rally from “B” (backlog) to “D” (defined)

Breaking Down User Stories
Right-Sizing Stories


Splitting User Stories
Remember: Don’t split or detail Product Backlog Items until they are declared sufficiently valuable for the product

Estimating User Stories
Estimating Effort
We’re not very good at estimating…
Relative Sizing
Begin by estimating the effort for what the team agrees is a medium story
Estimating Effort
Story 1/2/3 – Complexity, Effort, Doubt

Planning Poker
1. Read the user story, discuss briefly to ensure clarity
2. Each team member selects an estimate card from the Fibonacci sequence (1, 2, 3, 5, 8, 13) — anything higher (20, 40, 100) means the story needs more clarification
3. Cards are all turned over at once
4. Discuss the high and low cards
5. Re-estimate once more
6. SM makes the final call

Planning Poker acts to:
• Identify consensus quickly
• Democratize the discussion, so we hear from all voices!
• Uncover assumptions
• Team learns to collaborate on decisions

Summary:
Agile Manifesto for Software Development
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
“While there is value in the items on the right, we value the items on the left more”
http://agilemanifesto.org/

The Scrum “Fractal”


 

Security in the News – Week of November 25

Information Security

Computerworld

Blackshades Malware Still being Sold

November 25

Symantec has seen an uptick in infections as well as command-and-control servers.

 

Malware: War Without End

November 26

May be facing a stalemate, or evolving a new cyber biosphere.

 

Neverquest Trojan Threatens Online Banking Users

November 26

Attackers could start to aggressively distribute malware, Kaspersky Lab researchers warn.

 

InfoSecurity

Symantec CEO Declares IP Theft Greater Threat Than Cyber War

November 26

Threat of intellectual property theft is more dangerous than cyber war, bringing the potential to have a big negative impact on global economic growth.

 

Krebs on Security

Spam-Friendly Registrar Dynamic Dolphin Shuttered

November 25

Charter revoked for Dynamic Dolphin, a registrar long closely associated with spam and cybercrime.

 

Security Affairs

Report on Commodities Value in the Cyber Criminal Underground Market

November 25

Security experts explore online underground marketplace for stolen data.

 

Chinese Hackers Targeting US Cloud Service Providers

November 26

US-China Economic and Security Review Commission reports that cloud computing represents a potential espionage threat.

 

State of Security

Hackers Hit European Bitcoin Payment Processor BIPS for $1 Million

November 26

European Bitcoin payment processor BIPS was victim of cyberattack resulting in theft of 1,295 Bitcoin, worth $1 million.

 

Anonymous Claims Responsibility for Microsoft Website Crashes

November 27

Anonymous is behind intermittent downtime of Microsoft websites, including Hotmail.com, Microsoft.com, Live.com, Outlook.com and MSN.com, as part of Operation Killingbay.

 

We Live Security

Twitter Ramps up Security for Users, Approach Should be New Normal

November 25

Twitter unveiled serious security upgrade to protect its users’ data from cyber-snooping.

 

Security and Crisis Management

allAfrica.com

Central African Republic Powerless to Resolve Crisis, Security Council Told, As Regional Leader Urges Stronger Mandate for Support Mission

November 25

Central African Republic is a failed state headed by a fragile transitional government that is powerless to bring the country out of crisis.

 

al-Arabiya News

Army on Alert after Benghazi Clashes

November 25

Libya’s army declared state of alert, ordered troops to report for duty after clashes with militant group in Benghazi led to the death of nine soldiers.

 

Channel NewsAsia

China Faces Threat of More Terror Attacks

November 25

China faces a serious terror threat, the foreign ministry said Monday after a fiery attack in Tiananmen Square and domestic media reports of nearly 200 “terrorist” incidents in Xinjiang last year.

 

English.news.cn

Cambodian Opposition Urged to Avoid Violence in Protest

November 26

Cambodian Tourism Minister urged main opposition party to avoid violence when it holds a mass rally next month in tourist destination, Siem Reap.

France 24

French Police Train Brazil For Olympic Crowd Control

November 25

French riot police, accustomed to managing daily public demonstrations, are training Brazilian counterparts in anticipation of widespread public protests at 2014 World Cup, 2016 Olympics.

Security in the News – Week of November 18

Information Security

Analysis Intelligence

Measuring the Media Impact of Hacktivists

November 19

Seeking a non-zero metric, consider the amount of media coverage an organization receives to be a yardstick for success.

 

Computerworld

Adoption, Privacy Biggest Topics as NIST Cybersecurity Framework Nears Deadline

November 18

Feedback from cybersecurity specialists, attorneys, policymakers and government employees offers guidance on applying and updating the framework.

 

Why Network Security is Foundation for Cyber Strategy

November 19

As government orgs continue to deal with increasing cyber threats, those who protect digital assets have no silver bullet.

 

Hackers Exploit JBoss Vulnerability to Compromise Servers

November 19

Hackers exploit exposed JBoss management interfaces and invokers to install Web shells on servers.

 

Targeted Internet Misdirection on Rise

November 19

Traffic from financial firms, government agencies, VoIP providers quietly hijacked and rerouted through ISPs in Iceland.

 

Kaspersky Labs

All You Need to Know About APTs

November 18

APTs are among the most dangerous threats in the computing world; the article unravels their attack characteristics and the ways organizations and individuals can protect themselves.

 

Krebs on Security

vBulletin Breach Prompts Password Reset

November 18

Attackers broke in using a zero-day flaw now being sold online; vBulletin is aware of attacks against current versions of its product.

 

Don’t Like Spam? Complain About It

November 19

Underground service designed for spammers seeking to avoid anti-spam activists.

 

Security Affairs

Energy Industry Warned Over Threat of Cyberattacks

November 19

Energy industry continues to be a privileged target for cyber-attacks by hacktivists, state-sponsored hackers and cybercriminals.

 

State of Security

Unsecured Public Networks Putting Travelers at Risk

November 18

Travelers are aware of the risk, but are not taking steps to protect personal data and systems when accessing public WiFi.

 

Threat Post

CryptoLocker Email Attachments Sent to Tens of Millions in UK

November 18

UK online banking customers are targets of dangerous spam campaign enticing users to open attachment with ransomware.

 

EFF Scorecard Shows Crypto Leaders and Laggards

November 20

Article examines encryption capabilities of 18 leading Internet companies.

 

TrendMicro

Spike in Health-Themed Spam Marks September-October Spam Threats

November 19

In the past few weeks, we’ve seen drastic and noteworthy increases in the number of health-related spam in the wild.

 

We Live Security

Tens of Millions at Risk from Filecoder Due to Mass Email Spam Event Targeting Small Businesses

November 18

The malware is transmitted via emails that appear to come from banks, financial institutions, National Cyber Crime Unit warns.

 

Does Your Mouse Know it’s You?

November 20

Researchers claim patterns can “fingerprint” users – and lock out imposters.

 

Security and Crisis Management

Al Arabiya

Truck Bomb, Attacks Kill at Least 48 in Iraq

November 22

Truck bomb tore through an outdoor market in NE Iraq, the deadliest of the attacks.

 

Lebanon Army Defuses Car Bomb in Hezbollah Bastion

November 22

Lebanese army defused car bomb in Bekaa Valley, stronghold of Iranian-backed Hezbollah.

 

Rianovosti

Russian Neo-Nazis Jailed for Bombing Plot

November 22

Moscow court convicted white supremacists of planning to detonate bomb at antifascist concert.

 

Reuters

Guinea Clashes Kill One; Injure Nine after Journalist Targeted

November 18

One killed, nine others injured during clashes in Guinea’s capital after journalist critical of President targeted for assassination.

Security in the News – Week of November 11

Information Security

Computerworld

British Spies Reportedly Spoofed LinkedIn, Slashdot to Target Network Engineers

November 11

Key employees from telecommunication companies were redirected to pages that installed malware on computers.

 

Help Net Security

Cryptolocker Surge Directly Tied with Blackhole Downfall

November 11

Cryptolocker, one of the most widespread, visible and deadly threats, is directly tied to the arrest of the creator of the Blackhole and Cool exploit kits.

 

Complexity of Android Malware is Increasing

November 11

259 new mobile threat families and variants of existing families were discovered by F-Secure Labs in third quarter of 2013.

 

GCHQ Hacks GRX Providers to Mount MitM Attacks on Smartphone Users

November 11

Government Communications Headquarters, UK equivalent of NSA, compromised Global Roaming Exchange providers.

 

Krebs on Security

Facebook Warns Users After Adobe Breach

November 11

Facebook is mining data leaked from recent breach at Adobe in an effort to help its users better secure their accounts.

 

Feds Charge Brothers in Cyberheists

November 14

Brothers charged with masterminding a series of cyberheists that siphoned millions of dollars from personal, commercial bank accounts at US banks and brokerages.

 

Network World

10 Mistakes Companies Make after Data Breach

November 13

Experian Data Breach Resolution outlines mistakes after a breach.

 

Research Shows Arms Dealer Used in Cyberespionage Attacks

November 14

Companies battling tireless cyberespionage campaigns may be against well-organized attackers fed steady stream of malware from talented developer of cyber-arms.

 

Security Affairs

Brazilian Banking Threatened by Malware Embedded Inside RTF File

November 11

Clients of Brazilian financial institutions hit by banking trojan embedded in RTF file, spread through spam campaign.

 

New Modular Malware Platform Sold Underground

November 14

Security researcher profiles new commercially modular malware platform recently released on the underground marketplace.

 

Security Dark Reading

Research Into BIOS Attacks Underscores Their Danger

November 14

Researcher attempts to track down digital ghost in network, whose presence is felt in strange anomalies, odd system behavior.

 

State of Security

Backdoors and Hardware Attacks

November 13

The capillary diffusion of technology has an important consequence: hardware has to be properly analyzed during the acquisition and qualification phases of the supply chain.

 

The New York Times

Adobe Breach Inadvertently Tied to Other Accounts

November 12

Security breach at Adobe in which hackers gained access to tens of millions of encrypted passwords and email addresses.

 

TrendMicro

3Q Security Roundup: Invisible Web, One Million Mobile Malware

November 11

Third quarter of year shone spotlight on parts of hidden Internet that would have preferred to remain hidden.

 

We Live Security

More D-Link Routers are Vulnerable to Attacks

November 12

Vulnerabilities discovered in D-Link router, leaving device vulnerable to attacks via web interface, only weeks after discovery of a backdoor in other D-Link devices.

 

Massive War Game Batters London’s Banking System with Simulated Cyber Onslaught

November 12

War game scenario tested thousands of London’s investment banking staff against major cyber-attack on stock exchanges.

 

Big Banks Face High Risk Security Incidents Via Web Apps

November 14

Half of 50 biggest banks faced security incidents affecting web applications. 15 percent of incidents classified as high, critical risks.

 

Security and Crisis Management

BBC

French Priest Kidnapped in Cameroon

November 14

French priest kidnapped close to border with Nigeria.

 

Reuters

Three Killed in Clashes in Central African Republic’s Capital

November 13

Three killed, several wounded in Central African Republic’s capital Bangui in clashes between security forces, former rebel fighters.

 

The Washington Post

Attackers Throw Gasoline Bomb at Passenger Van in Nepal During Opposition Strike

November 13

Attackers hurled gasoline bomb at van in Nepal’s capital during opposition-called transport blockade.

Security in the News – Week of November 4

Information Security

Help Net Security

Most Users Don’t Trust App Developers with Data

November 5

Of 1K employed consumers surveyed in the UK, only 4% named makers of mobile phone apps as the entity they most trust with their personal data.

 

Most Visits to Login Page by Malicious Tools

November 6

Survey of 1K websites over a 90-day period recorded over 1.4 million unauthenticated access attempts and 20,376 authenticated logins.

 

Malware Peddlers Test New Infection Techniques

November 6

Ongoing malicious spam impersonating UPS has shown malware peddlers experimenting with different approaches for infecting hapless users.

 

Cybercrime Gangs Seek Victims in Untapped Markets

November 7

639 unique brands were targeted by phishing attacks, topping 614 seen in 4Q 2012.

 

Employees Stuck with Unauthorized File Sharing Services

November 7

81% of employees access work documents on the go, in the absence of an enterprise-grade file sharing alternative.

 

Silk Road 2.0 Goes Online

November 7

Another Silk Road has been resurrected from the ashes of the old one, an infamous underground market.

 

Cybercriminals Opting for Real-Time Malware Campaigns and Phishing

November 7

3Q 2013 saw further use of real-time malware campaigns and a dramatic increase in phishing sites.

 

The Register

Off your Bikie Laws: Anonymous to Queensland Premier

November 4

Online threat, real-world d0x … makes a nice change from website defacing.

 

The State of Security

Data Breaches Correlate to Identity Theft and Fraud

November 4

If personal data is compromised, greater than 1 in 4 chance you will be victim of identity theft resulting in fraud within the year.

 

Server Security Survey Reveals Problems Detecting Advanced Attacks

November 5

Organizations having increasing difficulty detecting, mitigating advanced attacks aimed at network servers, relying on ineffective technologies.

 

Threat Post

US-CERT Warns CryptoLocker Infections on Rise

November 6

Devious evolution of now-familiar ransomware schemes in which malware encrypts files on a number of network resources and demands a ransom for decryption key.

 

We Live Security

Mysterious Malware Jumps Between Disconnected PCs

November 4

Mysterious, indestructible strain of malware can infect PCs, Macs and Linux machines, and jump between machines even with cables, Ethernet, WiFi and Bluetooth pulled out.

 

Adobe Breach Reveals Really Terrible Passwords Still Popular

November 5

Adobe’s security breach bared 38 million passwords to the world; 2 million of them are simply 123456.

 

Facts About Morris Worm, 25th Anniversary

November 6

Details on one of the most important pieces of malicious code in the history of malware.

Startup Rising

Another fantastic read involving Marc Andreessen:
Startup Rising – The Entrepreneurial Revolution Remaking the Middle East
Authored by Christopher M. Schroeder
Foreword by Marc Andreessen

A walk through the Foreword reveals brilliant insight into the potential entrepreneurial uprising of the Middle East.

I sure hope Schroeder is right.  In many ways he clearly is.  That software has taken over and changed many aspects of the global economy in less than a decade is now clear.  Companies that are descriptively software enterprises – Google, Facebook (on whose board I serve), Twitter, Airbnb, Pinterest, and many others – have opened up human connections, access to knowledge, and new business models unforeseen before they existed.  Software-powered startups have disrupted almost every traditional consumer-facing experience from books to music to travel to video entertainment and gaming to shopping to telephony and beyond.

But, this is only part of the story.  Today almost every company is, in some form, a software company.  Look at the dashboard of your car and consider how today’s engines work.  Think about the sophistication that allows you to safely bank online.  Next time you buy a cup of coffee with a credit card, fill your car with gas, or shop at Wal-Mart, ask how remarkable innovation in software has allowed their logistics to scale.  In 2011, I wrote in the Wall Street Journal that “software is eating the world,” and software’s appetite has increased dramatically since then.  Traditional enterprises like Kodak and Borders that at best paid lip service to software innovation, at worst ignored it, and are in an existential crisis – not in some theoretical future, but right now.

Schroeder is also right in describing the three forces that are driving tech innovation from unexpected corners of the globe and that a new generation of entrepreneurs take for granted:
1. How technology offers an irreversible level of transparency, connectivity, and inexpensive access to capital and markets;
2. How over two decades of experience in navigating emerging market investment has made regional and global capital more comfortable with political risk and understanding local market distinctions;
3. That with rapidly increasing access to technology there are large, untapped markets of consumers and businesses seeking greater software solutions.

To his three I would add a fourth: after twenty years of hard work by many talented people, all the technology required to transform industries through software finally works and can be widely delivered at global scale.  And these are the earliest innings.  I believe within a decade there will be five billion people using smartphones worldwide – the equivalent computing capacity of a supercomputer and the full power of the internet on everyone’s person, all the time, everywhere.  Schroeder notes that experts tell him to expect 50 percent penetration across the Middle East in three to five years.  What this will yield in problem-solving and opportunity-building is limited only by one’s imagination.

Schroeder is provocative and likely right, that we in Silicon Valley risk being hyper-focused on ourselves and our own echo chambers.  There is no question that the network effect of talent – that world-class entrepreneurs, engineers, and design talent want to be with and are attracted by the best – has made Silicon Valley unique in the history of global innovation.  That we historically have thought of emerging growth markets as either places to sell our products and services or relatively inexpensive outsourcing opportunities is limiting.  If everything I have written here is true, innovation will clearly come from surprising places when great talent has access to software.  Our answer has historically been to focus on such talents when we can bring them to Silicon Valley – which is why I have been an active supporter of the greater number of young entrepreneurs having access to the H-1B visa.  At the same time, we will need to think differently if talent progressively wants to stay home and innovate.

Whether the remarkably talented entrepreneurs in the Middle East can scale and build regionally and globally competitive software at scale is still, for me, however, the central question – certainly a billion-dollar question, and ultimately a trillion-dollar question.

The stories of great entrepreneurs and ideas Chris describes are inspiring and potentially game changing.  Middle Eastern entrepreneurs are spawning startups in education, crime prevention, traffic management, recycling, renewable energy, health, entertainment, education, and beyond, solving real challenges and finding new opportunities that can change societies.  And they may change the world.  Could, he asks, unique experiences in the region spawn globally adopted software in spaces like mobile, social networks, and solar energy?

Culture and ecosystem, however, mean everything, and these entrepreneurs face real headwinds.  There are disappointingly few Middle Eastern governments and educational institutions seriously tackling the difficult decisions required to change downward trajectories in infrastructure at scale and speed.  In fact, with a recent increase in internet restrictions in the region, Schroeder rightly points out that governments are not only hindering communication and transparency, but the very platform of economic growth that I believe will drive any successful country in the coming decades.

He raises an intriguing idea that regional entrepreneurial ecosystems are being built anyway, bottom up, enabled by access to software.  There is a line that stands in my mind from one of the leading entrepreneurs in the region: there is no “wasta” – the system of favors and “Who do you know?” that has driven so much of life from getting into a good school to finding a good job – on the internet.  A similar sentiment was expressed by the new regional head of LinkedIn, who noted that platforms like theirs emphasize transparency connecting job seekers based on their real skills and performance.  Millions of people are using social networks, YouTube, and hundreds of startups in the region to take control of and improve their own lives.  Perhaps this new generation will build new models of economic success despite the daunting challenges caused by political and institutional neglect.

The demographics of the Middle East are most telling to me – and are a double-edged sword.  The vast numbers of young people coming into adulthood mean an unprecedented talent pool to create and innovate.  Traditional business models simply cannot absorb them, and entrepreneurship will have to be part of the answer.  If embraced by their societies, I’d rather have this challenge than countries now facing a decrease in youth.  Ignored, however, the ramifications could be more generationally catastrophic.  In many ways, emerging growth markets are making specific decisions about whether to embrace the new realities of the twenty-first century or hunker down in the missed opportunities often repeated in the twentieth.

I suppose if these entrepreneurs are not embraced at home, it’s good news for Silicon Valley people like me.  As Schroeder notes, there has never been a time in history where talent has been more mobile.  Our doors are always open to great entrepreneurs who want nothing more than to build what was not there before.

But a unique opportunity is at hand for any society that actively embraces it.  Startup Rising offers a remarkable narrative most of us don’t consider when thinking about the Middle East.  But it makes sense, and these courageous entrepreneurs and ecosystem builders are clearly on the right side of history.

Marc Andreessen
Palo Alto, California, 2013

Security in the News – Week of October 28

Information Security

Computerworld

ATM Malware May Spread from Mexico to English-Speaking World

October 28

Attacker can command an unidentified ATM brand to empty cash cassettes through keypad commands.

 

British Man Charged with Hacking NASA and US Military Computers

October 28

The man allegedly worked with others in Australia and Sweden to plant backdoors and steal confidential data.

 

Help Net Security

Traditional Security Models Becoming Exhausted

October 28

Gartner predicts traditional security models will be strained by 2020; 60 percent of enterprise IS budgets will be allocated for rapid detection and response approaches.

 

Buffer Hacked, Customer Accounts Misused to Send Out Spam

October 28

Buffer, popular online service for managing one’s social media presence by scheduling posts on Twitter, Facebook and LinkedIn, was hacked resulting in spam posts.

 

Characteristics of Effective Security Leaders

October 28

IBM study of security leaders reveals they are increasingly being called upon to address board-level security concerns; becoming more strategic voice within organization.

 

AmEx Users Targeted with Well-Crafted Phishing Scheme

October 29

Well-executed phishing campaign targeting AmEx users via fake “Fraud Alert: Irregular Card Activity” emails impersonating AmEx fraud department.

 

Big Data and Intelligence Driven Security

October 29

As we produce, consume an increasing amount of digital data, even casual user is becoming aware that the way we store and access this data will continue to shift and expand.

 

Photoshop Source Code Stolen, 38M Users Affected in Adobe Hack

October 29

The damage is larger than initially thought regarding the attack against Adobe’s networks earlier this month.

 

Counterfeit Money Detector Easily Hacked to Accept Fake Money

October 30

Simple electronic devices can be easily hacked, because security is at the bottom of the list of things to care about when creating them.

 

Network World

Five Styles of Advanced Threat Defense can Protect Enterprise from Targeted Attacks

October 31

To stop stealthy malware-based attacks, Gartner says use network traffic and payload analysis, forensics.

 

Threat Post

LinkedIn Defends Intro Security as Researcher Goes Phishing

October 28

LinkedIn’s new Intro app for iOS provides high-level transparency into how it handles communication between devices and its network.

 

We Live Security

Major Road Artery in Israel was Paralyzed by Cyberattack

October 28

Attackers used Trojan program to target security camera system in Carmel Tunnels toll road, shutting down road for hours, causing hundreds of thousands of dollars in damage.

 

Artificial Intelligence Firm Claims to Have Cracked CAPTCHAS

October 28

Company claims to have cracked CAPTCHAs, standard word tests used to tell humans and computers apart online.

 

President Obama’s Twitter and Facebook Accounts Hijacked by Hacktivist Group

October 29

President’s Twitter and Facebook accounts were compromised this week; two Tweets and one post were altered to send links to video montages of terrorist attacks.

 

Big Companies Still Fall for Social Engineering by Phone

October 31

Major companies are still handing out information to hackers using the most basic tool of all – the human voice.

 

Security and Crisis Management

Aljazeera

Four French Hostages are Freed

October 29

French hostages kidnapped by al Qaeda’s North African arm three years ago in Niger have been released.

 

BBC

Bomb Found at Stormont Castle in Belfast

October 29

Letter bomb addressed to Northern Ireland Secretary of State has been made safe by the Army at Stormont Castle in E. Belfast.

 

Reuters

Suicide Bombers Kill 11 Military, Police in Iraq Dinner Attack

October 30

Suicide bombers killed 11 military and police officers and wounded 19 by blowing themselves up outside a Sunni militia leader’s house in northern Baghdad as he was hosting dinner.

 

New York Times

Venezuela Seeks to Tame Wild West Motorcycle Chaos

October 31

Choking traffic, causing pileups and even ambushing drivers, Venezuela’s hordes of motorcyclists are an increasingly high-profile problem for the new government.